That was the bottom line from a report issued today by the watchdogs at the Government Accountability Office that stated until rules that specifically address information security for cloud computing are developed, federal agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place placing information at risk.

According to the GAO 22 of 24 major agencies reported that they are either concerned or very concerned about the potential information security risks associated with cloud computing. Several of these risks relate to being dependent on a vendor's security assurances and practices. Specific risks were:

Controls: the possibility that ineffective or non-compliant service provider security controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information;

Loss: the potential loss of governance and physical control over agency data and information when an agency cedes control to the provider for the performance of certain security controls and practices;

Bad apples: the insecure or ineffective deletion of agency data by cloud providers once services have been provided and are complete; and potentially inadequate background security investigations for service provider employees that could lead to an increased risk of wrongful activities by malicious insiders.

Shared goods: Multitenancy, or the sharing of computing resources by different organizations, can also increase risk. Twenty-three of 24 major agencies identified multitenancy as a potential information security risk because one customer could intentionally or unintentionally gain access to another customer's data, causing a release of sensitive information. Another concern is the increased volume of data transmitted across agency and public networks. This could lead to an increased risk of the data being intercepted in transit and then disclosed.

The GAO stated that while several government cloud computing security projects are under way by organizations such as the Office of Management and Budget (OMB) and the General Services Administration (GSA), significant work remains to be completed. For example, OMB told the GAO that it began a federal cloud computing initiative in February 2009; however, it does not yet have an overarching strategy or an implementation plan. According to OMB officials, the initiative includes an online cloud computing storefront managed by GSA and will likely contain several pilot cloud computing projects. However, as of March 2010, a date had not been set for the release of the strategy or for any of the pilots. In addition, OMB has not yet defined how information security issues will impact the project.

While the Federal CIO Council is developing a shared assessment and authorization process, which could help foster adoption of cloud computing, this process remains incomplete, and GSA has yet to develop plans for a shared assessment and authorization process for its procurement of cloud computing infrastructure as a service offering, the GAO stated.

According to the GAO while there are numerous potential information security risks related to cloud computing, these risks may vary based on the particular deployment model. For example, the National Institute of Standards and Technology says private clouds may have a lower threat exposure than community clouds, which may have a lower threat exposure than public clouds.

It's not that cloud computing outlook is bleak though. The GAO found that the use of virtualization and automation in cloud computing can expedite the implementation of secure configurations for virtual machine images. Several agencies told the GAO that cloud computing provides a reduced need to carry data in removable media because of the ability to access the data through the Internet, regardless of location. The GAO found that 22 of 24 major agencies identified low-cost disaster recovery and data storage as a potential benefit. The self-service aspect of cloud computing may also provide benefits. For example, 20 of 24 major agencies identified the ability to apply security controls on demand as a potential benefit.

Cooney is an Online News Editor and the author of the Layer 8 blog, Network World's daily home for the not-just-networking news. He has been working with Network World since 1992. You can reach him at mcooney@nww.com.